On Robust Key Agreement Based on Public Key Authentication Feng Hao School of Computing Science Newcastle University, UK [email protected]

On Robust Key Agreement Based on Public Key Authentication Feng Hao School of Computing Science Newcastle University, UK Feng.Hao@Ncl.Ac.Uk

1 On Robust Key Agreement Based on Public Key Authentication Feng Hao School of Computing Science Newcastle University, UK [email protected]

Abstract—This paper discusses public-key authenticated key group with another (additive) cyclic group defined over some agreement protocols. First, we critically analyze several authen- elliptic curve. The essence of the protocol remains unchanged. ticated key agreement protocols and uncover various theoretical The acute problem with the Diffie-Hellman key agreement and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized is that it is unauthenticated [2]. While secure against passive by IEEE P1363. These attacks suggest the caution one should attackers, the protocol is inherently vulnerable to active attacks take when interpreting theoretical results from a formal model. such as the man-in-the-middle attack [6]. This is a serious We further point out that many of the protocol failures in limitation, which since 1976 has been motivating researchers the past are caused by sidestepping an important engineering to find a solution [3]–[5], [7], [9], [11], [13], [20]. principle, namely “Do not assume that a message you receive has a particular form (such as gr for known r) unless you can check To add authentication, we need to start with assuming this”. Constructions in the past generally resisted this principle on some shared secret. In general, there are two approaches. the grounds of efficiency: checking the knowledge of the exponent The first one assumes Alice and Bob share a symmetric is commonly seen as too expensive. In a concrete example, secret: a memorable password. Research following this line we demonstrate how to effectively integrate the zero-knowledge is commonly called Password Authenticated Key Exchange proof primitive into the protocol design and meanwhile achieve good efficiency. Our new key agreement protocol, YAK, has (PAKE) [3]–[5]. The second approach assumes Alice and Bob comparable computational efficiency to the MQV and HMQV share some asymmetric secret: each party possesses a unique protocols with clear advantages on security. Among all the related private key and his public key is known by others. In the past techniques, our protocol appears to be the simplest so far. We literature, protocols under this category are commonly called believe simplicity is also an important engineering principle. Authenticated Key Exchange (AKE) [7], [9], [11], [13], [20]. In this paper, we focus on the second category. To better differentiate it from the first category, we will call it Public I.INTRODUCTION Key Authenticated Key Exchange (PK-AKE). In the following In a seminal paper in 1976, Diffie and Hellman started the section, we will review the state-of-the-art in this field. public key research era by presenting a remarkably simple key agreement protocol based on the intractability of computing II.PASTWORK discrete logarithm [1]. The protocol works as follows. Suppose Before reviewing past techniques in detail, we start by two users are Alice and Bob. Let p be a large prime, and α summarizing three general principles. These principles are a primitive root modulo p. The original scheme operates in important because they can help explain most of the protocol ∗ the whole cyclic group Zp . Alice chooses a random value failures in the past. x x ∈R [1, p − 1] and sends α to Bob. Similarly, Bob chooses • The sixth principle – Do not assume that a message you y r y ∈R [1, p − 1] and sends α to Alice. Finally, both parties receive has a particular form (such as g for known r) can compute a common key K = αxy. unless you can check this [22]. Later, several changes are made to the original protocol to • The explicitness principle – Robust security is about improve security and efficiency. First, H(K) is used instead explicitness; one must be explicit about any properties of K as the session key where H is a one-way hash function. which can be used to attack a public key primitive, such This is to address the issue that some (least significant) bits as multiplicative homomorphism, as well as the usual of K may be weaker than others [2]. The second change is security properties such as naming, typing, freshness, the to move the key agreement operation from the whole group starting assumptions and what one is trying to achieve ∗ Zp to a large subgroup of prime order q where q|p − 1. This [22]. change is made to address the concern that an active attacker • The extreme-adversary principle – Robust security is to may confine the value K to a small subgroup [24]. However, protect against an extremely powerful adversary, such that as we will explain, this does not really solve the problem the only powers he does not have are those that would because the protocol is unauthenticated per se. Finally, it is allow him to trivially break any PK-AKE protocol [13]. increasingly popular to implement the Diffie-Hellman protocol These principles are simple and intuitive. The first two are using the Elliptic Curve Cryptography (ECC) [10]. Using time-honored guidance in designing robust cryptographic pro- ECC essentially replaces the underlying (multiplicative) cyclic tocols, defined by Anderson and Needham back in 1995 [22]. 2

The third one is a theoretical principle that we summarize a technique known as the “NAXOS trick” [28]. Similarly, Bob from [13]. This principle is particularly important because it uses H1(y, b) instead of y. The underlying assumption in the provides the ultimate definition of the "security" of a protocol NAXOS formal proofs is that the attacker has to steal both the [13]. In the following review, we will apply this extreme- ephemeral secret x and the static private key a in order to learn adversary principle to assess the actual robustness of key the exponent. This assumption plays a vital role in proving exchange protocols. security in the eCK model. However, one will naturally ask There is one big family of PK-AKE protocols based on the whether H1(x, a) itself forms part of the “session specific use of digital signatures [10]. The basic idea is to use a static secrets”. Allowing a powerful attacker to learn one transient private key to digitally sign ephemeral public keys (together secret x but denying him to learn another transient secret with some auxiliary inputs such as identities), so that man- H1(x, a) contradicts the extreme-adversary principle stated in in-the-middle attacks can be prevented. It was first described the NAXOS paper [13]. by Diffie, Oorschot and Wiener in the design of the Station- To-Station (STS) protocol [12]. Subsequent signature-based As stated in [13], there is a secondary reason for using protocols can be seen as variants of the STS protocol. H1(x, a) instead of x in NAXOX. That is to address the One well-known member in this family is the SIG-DH problem that “the random number generator of a party is protocol due to Canetti and Krawczyk [11]. This protocol is corrupted”. In that case, the ephemeral secret x will have low notable for its provable security in a formal model, commonly entropy. Consequently, an attacker may be able to uncover x known as the Canetti-Krawczyk (CK) model. The CK model say by exhaustive search. On the other hand, if the low-entropy defines a strong adversary who has the power to corrupt a x is combined with a high-entropy private key a to form session and learn all session-specific transient secrets. The goal H1(x, a), the exponent will have high entropy. As plausible is that a corrupted session must not impact the security of other as this analysis may sound, it fails to consider the correlation sessions. between the exponents. Figure 3 shows a replay attack if the The SIG-DH protocol is described in Figure 1. It operates random number generator is corrupted. Assume in one past ∗ session, Alice had transferred $1m to Charlie. Since x has in a subgroup of Zp of prime order q. The g is a generator (non-identity element) of the subgroup. The symbols A,ˆ Bˆ low entropy, with some non-negligible probability the same x denote the user identities and ga, gb are the users’ respective value may repeat in a future session. When that occurs, the static public keys. The rest symbols are self-explanatory. More attacker simply replays the old values Y and M as in the past details about the SIG-DH protocol can be found in [11]. session, to cause Alice to transfer money again. The provable security of SIG-DH is however disputed by This attack shows that hashing x together with a does not LaMacchia et al [13]. The argument centers on the defini- really solve any problem. Even worse, it may provide a false tion of the “session-specific transient secrets”. In [11], the sense of security. In fact, if the end user’s random number formal proofs only consider the session key and ephemeral generator is corrupted, no PK-AKE protocols can guarantee exponents as transient secrets. The SIG-DH protocol however security under that setting. The NAXOS protocol is of course does not explicitly specify a digital signature scheme. In fact, no exception. for common signature schemes, such as DSA, Schnorr or ElGamal, the signing operation will introduce an additional We now move on to study a different protocol: HMQV ephemeral secret (for randomization). If that randomization (see Figure 4) [7]. The HMQV protocol is modified from secret is revealed in a corrupted session, then the static private MQV [20] with the primary aim for provable security. The key will be disclosed. This will surely impact the security of modifications come in two flavors. First, HMQV uses a hash other sessions, thus invalidating the claim in [11]. The same function to derive d and e instead of a linear function as attack generally applies to signature-based PK-AKE protocols. defined in MQV. It also mandates the use of a hash function to To address the above deficiency, LaMacchia et al proposed derive the session key. Second, HMQV provably drops some an extended Canetti-Krawczyk (eCK) model [13]. The new mandated verification steps in MQV, including the verification model assumes the attacker can learn all – instead of parts – of of the Proof of Possession (PoP) of the private key during the the session specific secrets. Accordingly, the authors presented CA registration and the prime-order validation check of the a NAXOS protocol, and formally proved it secure under the ephemeral public key. eCK model. Their protocol is shown in Figure 2. The eCK model claims to be stronger than other formal The changes in the second category are highly controversial models such as the CK model [13]. However, this claim is despite that they are backed up by a formal model and disputed by Cremers [15]. He compares the theoretical prop- full proofs [7]. Dropping the public key validations is the erties between the the CK and eCK models, and demonstrates direct cause of several attacks against HMQV [14], [17]. In that a protocol proven secure in the eCK model may prove one example, Menezes and Ustaoglu demonstrated a small insecure in the CK model and vice versa. In other words, the subgroup confinement attack that could lead to the disclosure two models are simply incompatible: neither one is stronger of the user’s private key [14]. That attack assumes a corrupted than the other (also see [28]). session where the attacker can learn the ephemeral exponent. The problem in LaMacchia et al’s model is that the defini- This assumption is allowed in the original adversarial model in tion of “session specific secrets” is still ambiguous. Notice in HMQV, hence the attack is valid. In the subsequent submission Figure 2, Alice uses H1(x, a) instead of x on the exponent – to IEEE P1363 Working Group [8], Krawczyk revised the 3

Alice ( A,ˆ ga) Bob (B,ˆ gb) 1. x ∈ Z A,ˆ sid, gx R q −−−−−−−−−−−−−−−−−−−−−−−−−→ y y x ˆ 2. Verify signature B,ˆ sid, g ,SIGB(B,ˆ sid, g , g , A) y ∈R Zq ←−−−−−−−−−−−−−−−−−−−−−−−−−− x y 3. A,ˆ sid, SIGA(A,ˆ sid, g , g , Bˆ) Verify signature −−−−−−−−−−−−−−−−−−−−−−−−−−→ Alice and Bob compute κ = H(gxy)

Figure 1. SIG-DH protocol. The session identiﬁer sid is unique among all sessions owned by Aˆ, the initiator.

Alice (A,ˆ ga) Bob (B,ˆ gb) 1. x ∈ Z X = gH1(x,a) Verify X has prime order q R q −−−−−−−−−−→ 2. Verify Y has prime order q Y = gH1(y,b) y ∈ Z ←−−−−−−−−− R q a·H1(y,b) b·H1(x,a) H1(y,b)·H1(x,a) Alice and Bob compute κ = H2(g , g , g , A,ˆ Bˆ)

Figure 2. NAXOS protocol. The H1 and H2 are two independent hash functions.

Alice (A,ˆ ga) Attacker (pretend “Bob”) 1. x (repeat) X = gH1(x,a) Detect same X as in the past −−−−−−−−−−→ 2. Verify Y has prime order q Y = gH1(y,b) Replay old Y ←−−−−−−−−− Pay Charlie $1m M = Eκ(“Transfer $1m to Charlie”) Replay old M ←−−−−−−−−−−−−−−−−−−−−−−−−−−−− a·H1(y,b) b·H1(x,a) H1(y,b)·H1(x,a) Alice compute κ = H2(g , g , g , A,ˆ Bˆ)

Figure 3. Replay attack on NAXOS protocol if x has low entropy

Alice (A,ˆ ga) Bob (B,ˆ gb) 1. x ∈ Z X = gx Verify X 6= 0 R q −−−−−−→ 2. Verify Y 6= 0 Y = gy y ∈ Z ←−−−−− R q d = H¯ (X, Bˆ), e = H¯ (Y, Aˆ) Alice computes: κ = H((YBe)x+da) = H(g(x+da)(y+eb)) Bob computes: κ = H((XAd)y+eb) = H(g(x+da)(y+eb))

Figure 4. HMQV protocol. H¯ and H are two independent hash functions.

HMQV protocol by adding the following check1: Alice verifies subgroup elements s and s0 cancel each other out. Suppose the term YBe has the correct prime order and Bob does the H¯ works like a random oracle as assumed in HMQV (see same for XAd. This change prevents the attack reported in Figure 4). Then, for each try of s0, the probability of finding [14], but decreases the claimed efficiency of HMQV. The s0 · se = 1 is 1/w. It will be almost certain to find such s0 revised HMQV had been included into the IEEE P1363 after searching all w elements in Gw (if not then change a standards draft (2009-06-30) [29]. different z and repeat the procedure). Following the HMQV However, the revised HMQV still has flaws. First, we protocol, Bob sends Y = gz · s0 to Alice. Alice checks YBe present a new “invalid public key attack” that exploits the lax has the correct prime order and computes the session key CA requirement in HMQV. In both the original and revised κ = H((YBe)x+da) = H(gz·(x+da)). Because Bob knows versions of HMQV, CA is only required to check the submitted z, he can compute the same session key κ and successfully public key is not 0. The attack works as follows. Assume Bob authenticates himself to Alice. In fact, anyone can do the same (attacker) registers a small group element s ∈ Gw as the public pre-computation as above and authenticate to Alice as “Bob”. key where w|p − 1. Bob chooses an arbitrary value z ∈ Zq. For any PK-AKE protocol, the basic goal of authentication Let Y = gz · s0 where s0 is an element in the same small is to assure one party that the other party is the legitimate 0 subgroup Gw. Exhaustively, Bob tries every element s in Gw holder of the supplied public key certificate – more technically, such that YBe = gz · s0 · se = gz. In other words, the small someone who knows the private key [2]. However, in the HMQV case, the private key does not even exist, but the 1Actually, Krawczyk does not mandate this check in [8]. He specifies that authentication is successful. This indicates a protocol design such a check is necessary to thwart a strong adversary and not necessary if the error. adversary is less powerful. This is ambiguous. In this paper, we only analyze the stronger (or more secure) version of the revised HMQV, in which the We now describe a different “wormhole attack” on HMQV. additional check is in place. This attack works when the two parties use the same certificate 4

x III.THE YAK PROTOCOL 1. g Alice-1 Alice y 4. g (attacker) In this section, we explore a new approach to construct (server) m”) e $1 r to m nsfe the PK-AKE protocol. So far, almost all of the past PK- (“Tra 5. Ek AKE protocols [7], [9], [11], [13], [18] have sidestepped the wormhole sixth robustness principle that we explained in Section II. The 2. g x 3. g y reason has mainly been for the concern on efficiency: verifying 6. E k(“Tra nsfe Alice-2 the knowledge on the exponent is considered too expensive r to me $ 1m”) (attacker) [7], [11]. In the following sections, we will demonstrate how to effectively integrate the zero-knowledge primitive into the Figure 5. Worm-hole attack on HMQV protocol design and meanwhile achieve good efficiency. Our new PK-AKE protocol is called YAK2. For simplicity, we describe it in the DSA-like cyclic group setting [2], [10] (the protocol works basically the same in the ECDSA-like for self-communication. Self-communication is considered a setting where an additive cyclic group over some elliptic curve useful application in [7]. For example, a mobile user and the ∗ is used). Let G denote a subgroup of Zp with prime order q desktop computer may hold the same static private key (regis- in which the Computational Diffie-Hellman problem (CDH) is tering two public key certificates costs more). Krawczyk for- intractable. Let g be a generator in G (any non-identity element mally proved that self-communication is “secure” in HMQV in G can be used as a generator). The two communicating [7]. However, the formal model in [7] only considers the user parties, Alice and Bob, both agree on (G, g). talking to one copy of self, but neglects the possibility that the user may talk to multiple copies of self at the same time. A. stage 1: public key registration The following attack works similar to a typical “wormhole In stage 1, Alice and Bob obtain an authentic copy of attack” in wireless networks where the attacker replicates the each other’s static public key. A trivial method is that the identity from one place to another through a wormhole tunnel two meet in person and exchange public keys. However, this [6]. Figure 5 illustrates the steps of the attack: is not scalable. Hence, a Public Key Infrastructure (PKI) 1) Alice initiates the connection to a copy of herself by is normally needed to distribute authentic public keys: a sending gx. The connection is intercepted by Mallory Certificate Authority (CA) certifies users’ public keys and who pretends to be Alice-1. publishes the certificates that anyone can access.

2) Mallory starts a separate session by pretending to be CA Registration: Alice selects a random secret a ∈R Zq Alice-2. He initiates the connection by sending to Alice as her private key and sends to the CA ga with a knowledge x g (this is possible because HMQV does not require the proof for a. Similarly, Bob selects b ∈R Zq as his private key sender to know the exponent). and sends to the CA gb with a knowledge proof for b. 3) Alice responds to Alice-2 by sending gy. The CA needs, among several things, to verify the appli- 4) Mallory replays gy to Alice as Alice-1. cant’s identity (Distinguished Name) and check the knowledge 5) Alice derives a session key and sends an encrypted proof to ensure the Proof of Possession (PoP) of the private message to Alice-1, say: “Transfer to me $1m”. key. The PoP check is a mandatory requirement for the CA 6) Mallory replays the encrypted message to Alice. (After in PKI standards such as PKCS#10 (see [19]). In practice, the receiving money from Alice, Mallory disconnects both CA may delegate the responsibility of verifying the person’s connections.) identity to a Registration Authority (RA). The user is normally In the above attack, we only demonstrated the attack against required to visit the RA in person with a passport or ID card the two-pass HMQV (implicit authentication). For the three- to prove his real identity. pass HMQV (explicit authentication), the attack works exactly During the registration, the applicant needs to demonstrate the same. Also, we have omitted the identities in the message the Proof of Possession (PoP) of the private key. There are flows, because they are all identical (see [7]). several ways to do this. One way is to use Zero Knowledge This attack is essentially an unknown key sharing attack. Proof, which is a well-established primitive in cryptography Alice thinks she is communicating to a mobile user with the [10]. This technique allows the applicant to prove the knowl- same certificate, but she is actually communicating to herself. edge of the exponent without leaking it. The attacker does not hold the private key, but he manages to As an example, we can use Schnorr’s signature, which establish two fully authenticated channels with Alice (server). is one of the most well-known non-interactive Zero Knowl- In a different attacking scenario, if Alice sends an encrypted edge Proof techniques. Let H be a publicly-known secure hash function. To prove the knowledge of the exponent for command “shutdown” to its mobile user in step 5, the same x v command may be replayed back to Alice to shutdown the X = g , one sends {SignerID, OtherInfo, V = g , r = system. This shows such an attack can be dangerous. The v − x · h} where SignerID is the unique user identifier (also same attack also applies to other PK-AKE schemes, including called Distinguished Name [2]), OtherInfo includes auxiliary NAXOS [13], KEA+ [9], CMQV [18], MQV [20], and SIG- 2The yak lives in the Tibetan Plateau where environmental conditions are DH [11] etc. extremely adverse. 5 information to indicate this is a request for certifying a few methods here. A simple method is to use a hash function static public key and may include other practical information as presented in [3]: Alice sends H(H(κ0)) to Bob and Bob 3 0 0 such as the name of the algorithm etc , v ∈R Zq and replies with H(κ ). Another straightforward way is to use κ h = H(g, V, X, SignerID, OtherInfo). The receiver checks to encrypt a known value (or random challenge) as explained that X lies in the subgroup of prime order q and verifies in [2]. Other approaches make use of MAC functions as that V = grXh (computing grXh requires roughly one suggested in [7], [9]. Given that the underlying functions are exponentiation using the simultaneous computation technique secure, these methods do not differ significantly in security. [10]). We will assess the cost in more detail in Section VI. IV. SECURITY ANALYSIS B. stage 2: key agreement In this section, we analyze the security of the YAK protocol Alice and Bob execute the following protocol to establish a with rigorous security proofs. Many PK-AKE papers in the session key. For simplicity of discussion, we explain the case past generally adopted the following steps to prove security that Alice and Bob have different certificates (a 6= b) and will of a protocol [14]. cover self-communication later. 1) Security model – To specify the capabilities of an x YAK protocol: Alice selects x ∈R Zq and sends out g adversary and how it interacts with honest parties. with a knowledge proof for x. Similarly, Bob selects y ∈ Zq 2) Security definition – To describe the goals of the adver- and sends out gy with a knowledge proof for y. sary. 3) Security proofs – To prove that breaking the protocol When this round finishes, Alice and Bob verify the re- would imply solving some computational problem that ceived knowledge proof to ensure the other party possesses is widely believed to be intractable. the ephemeral private key. As explained earlier, we can use However, the practical results have been less than being Schnorr’s signature to realize the knowledge proof. Both satisfactory. An outstanding problem lies in how to define a parties also need to ensure the identity (i.e., SignerID) in “right” security model in the first place. A right model should the knowledge proof must match4 the one in the public key specify a full set of the attacker’s capabilities, hence covering certificate. attacking scenarios comprehensively. Although many formal Upon successful verification, Alice computes a session key models have been proposed in the PK-AKE field, it is far κ = H((gy · gb)x+a) = H(g(x+a)(y+b)). And Bob computes from clear which exact model is the “right” model [14], [15]. the same key: κ = H((gx · ga)y+b) = H(g(x+a)(y+b)). The All the existing security models (such as CK, eCK, HMQV protocol has the same round efficiency and symmetric property etc models) aim to model an adversary in terms of what he as the original Diffie-Hellman protocol [1]. Figure 6 shows is capable of. This methodology evolves progressively over how to implement the protocol in two passes, as one party the past two decades by adding more power to the attacker. usually needs to initiate the connection. Still, the resultant models only cover a subset of the attacker’s The two-pass YAK protocol can serve as a drop-in re- capabilities. In consequence, several protocols that have been placement for face-to-face key exchange. This is equivalent proven secure in a formal model turn out to be vulnerable to to Alice and Bob meeting in person and secretly agreeing a some attacks [14]. In addition, different models are sometimes common session key. After Alice and Bob depart, they can found incompatible: a protocol proven secure in one model use the session key to secure the communication. So far, the may prove to be insecure in another model and vice versa authentication is implicit: Alice believes only Bob has the (see [15]). same key and vice versa. In some applications, Alice and Clearly, there is a gap between theory and practice in the Bob may want to perform an explicit key confirmation before specification of a formal model. Bridging the gap has become starting any communication just to make sure the other party an active research topic in recent years [15]. actually holds the same session key. In this section, we will attempt a new approach – instead The method for explicit key confirmation is generally ap- of defining what the attacker is capable of, we focus on what plicable to all key exchange protocols. Often, it is considered the attacker is not capable of. The intuitive idea is to give the desirable to use a different key from the session key κ for fewest possible restrictions on what an attacker is able to do key confirmation5, say use κ0 = H(K, 1). We summarize a (this idea was originally from LaMacchia et al in [13]). As 3This is similar to the existing practice in OpenSSL that generates a we will demonstrate, this new approach allows capturing the Certificate Signing Request (CSR) for a new DSA key pair. The DSA private crux of the extreme-adversary principle more directly. key is used to sign the entire request. Verifying the signature is equivalent to verifying the PoP of the private key. Here, we prefer Schnorr’s signature, First, we need to define what are the “session specific because it is simpler and has well-understood security proofs. secrets” in YAK. Simply put, they include all transient secrets 4By “match”, we mean the identity is identical to the one on the X.509 in a session. More specifically, the session specific secrets – for certificate, or the two have an unambiguous one-to-one mapping relationship. Alice – include the ephemeral exponent x and the raw session The latter is useful to provide anonymity in key agreement: both parties use pseudo-identities to prove the possession of the ephemeral exponents and they key K. This definition has covered the randomization factor v know how to match the pseudo-identities to real ones at the two ends. in Schnorr’s signature since one can easily compute v from x 5Using a different key for key confirmation has a (subtle) theoretical advan- and r (the r is part of Schnorr’s signature). It has also covered tage that after the key confirmation, the session key is still indistinguishable from random. However, this trick has limited practical significance and is not the session key κ, which can be computed from H(K). If the used in for example [3], [4]. attacker is powerful enough to access Alice’s session state, 6

Alice (A,gˆ a) Bob (B,ˆ gb) x 1. x ∈R Zq g ,KP {x} Verify KP {x} −−−−−−−−→ y 2. Verify KP {y} g ,KP {y} y ∈R Zq ←−−−−−−−− Compute κ = H(g(x+a)(y+b)) κ = H(g(x+a)(y+b))

Figure 6. YAK protocol we assume he can learn all of the transient secrets including transient secrets in an arbitrary session. The only power that x and K. he does not have is the access to Alice’s private key. In summary, a powerful attacker is able to learn all transient Theorem 1 (Private Key Security): An attacker can not secrets in a session, but he cannot learn the user’s private key. learn Alice’s static private key even if he is able to learn all Learning the private key would allow the attacker to trivially transient secrets in any of Alice’s sessions. break any PK-AKE protocol. proof. As shown in Figure 7 (1), an extremely powerful First, we formulate the following requirements for the PK- attacker completely corrupted Bob and has access to all of AKE protocol. the transient secrets in Alice’s session. The knowledge proofs7 1) Private key security: An attacker cannot learn the user’s defined in the YAK protocol prove that the attacker knows the static private key even if he is able to reveal all session values of y and b (i.e., these variables are not correlated with specific secrets in any session. a). He also knows Alice’s public key ga. By revealing Alice’s 2) Full forward secrecy: Session keys that were securely transient secrets in a session, he learns x and the raw session established in the past uncorrupted sessions will remain key K = g(a+x)(b+y). But learning K does not give Mallory secure in the future even when both users’ static private any information, because he can compute it by himself from keys are disclosed. {x, y, b, ga}. Since Mallory knows the values of {x, y, b, ga}, 3) Session key security: An attacker cannot compute the he can effectively simulate the same session all by himself session key if he impersonates a user but has no access by defining arbitrary values of x, y, b. Clearly, he does not to the user’s private key. learn any information about Alice’s private key from his own These requirements summarize essential security properties simulations. of a PK-AKE protocol. They even cover those that are missing Intuitively, the above proof assumes an attacker simulating a in the existing formal model definitions. The first requirement list of transcripts that include arbitrary values of {x, y, b}. By is generally not covered by a formal model, but we think it corrupting any of Alice’s sessions, the attacker learns nothing is crucially important. For example, both the SIG-DH [11] more than what he can possibly simulate. and (original) HMQV [7] protocols have been formally proven On the other hand, the same simulation does not work in secure in the CK model. Yet attacks reported in [13] and [14] NAXOS and HMQV. Take NAXOS as an example. Assume show that in both protocols, an attacker is able to disclose the Bob (the attacker) sends to Alice ga. By accessing Alice’s 6 user’s private key. In the second requirement , we use “full” transient items within the key derivation function, Bob learns to distinguish it from the “half” forward secrecy, which only ga·a. Bob cannot simulate the session because he cannot allows one user’s private key to be revealed (e.g., KEA+ [9]). compute ga·a by himself. In another session, Bob can send 2 3 In the past literature it is common to add “perfect” before to Alice ga and then learn ga . Similarly, he can learn 4 5 “forward secrecy” [7], [9], [11]. However, we drop “perfect” ga , ga .... In other words, every corrupted session gives the here because it has no concrete meaning [10], [20]. The third attacker new information that he cannot learn by simulation. requirement concerns both the secrecy and authenticity of The same argument applies to HMQV. the session key. It has already covered the Key Compromise The use of the knowledge proofs greatly simplifies the Impersonation (KCI) attack [20]. The “invalid public key” analysis. Without the knowledge proofs, the simulation in attack in Section II indicates that HMQV does not satisfy this our proof will not work. We illustrate this with an example. property. Assume there were no knowledge proof (i.e., no PoP check) The strategy of our design is to make the best use of well- during the CA registration. Mallory can choose a small sub- established techniques such as Schnorr’s signature. This allows group element, e.g., s ∈ Gw where w|p − 1. He then registers us to leverage upon the provable results of Schnorr’s signature s/gy as his static public key. During the key agreement, Alice (see [10], [27]), and thus greatly simplify the security analysis. will compute K = (s/gy × gy)x+a = sx+a. If Mallory First, Let us discuss the private key security. Without loss can also reveal Alice’s ephemeral secret x, he can compute of generality we assume Alice is honest. Unless mentioned a mod w. This is the same kind of the small subgroup attack otherwise, this assumption will be made throughout the rest as reported against HMQV [14]. Note that in this case, the of the analysis. As shown in Figure 7 (1), Mallory totally simulation in the proof no longer works: Mallory does not controls Bob’s static and ephemeral private keys; additionally, know the private key b; in fact, the value b does not even exist he has the extreme power that allows him to learn Alice’s 7If Schnorr’s signature is used to realize the knowledge proof, we need to 6It is essentially the same as the weak Perfect Forward Secrecy (wPFS) add a random oracle assumption (i.e., a secure one-way hash function), as defined in [7]. Schnorr’s signature is provably secure in the random oracle model. 7

Figure 7. The oracle diagrams for the attacker. Alice is honest. because the registered public key is a small subgroup element. the original Diffie-Hellman protocol [2]. This example shows the importance of the sixth robustness Finally, we study the session key security requirement. As principle: “Do not assume the message you receive has a shown in Figure 7 (3), Mallory does not hold Bob’s private particular form (such as gr for known r) unless you can check key but he tries to impersonate Bob. We assume the powerful this” [22]. Mallory even knows Alice’s private key a. The only power he Next, we discuss the full forward secrecy requirement. does not have is the access to Alice and Bob’s session states. In the definition, we specify that the past sessions must be If Mallory can access Alice’s session state, he can impersonate “uncorrupted”8, namely the session-specific transient secrets anyone to Alice – he just needs to “steal” the session key that must remain unknown to the attacker. In YAK, this means x, Alice computes in the transient memory. Similarly, if Mallory y and K must remain unknown to the attacker. Obviously, can access Bob’s session state, he can impersonate Bob to knowing K would have trivially broken the past session. anybody by waiting until Bob computes the session key and Also, if Mallory can learn any ephemeral exponent x or then stealing it. y in the past session in addition to knowing both parties’ Note in this case, the assumed attacker is less powerful static private keys (see Figure 7 (2)), he has possessed the than the one described in Theorem 1. Previously, the attacker power to trivially compromise any PK-AKE. This contradicts was able to corrupt an arbitrary session of Alice’s or Bob’s. the extreme-adversary principle. Therefore, in the following He however had learned no useful information than what he analysis, we assume the attacker knows both Alice and Bob’s can simulate (see Theorem 1). On discussing the session key private keys, but not any transient secrets in the past session. security, we assume the attacker no longer has access to either Theorem 2 (Full Forward Secrecy): Under the Computa- user’s session state. This change is necessary, and is consistent tional Diffie-Hellman (CDH) assumption, an attacker who with the extreme-adversary principle. knows both parties’ static private keys but not transient secrets Theorem 3 (Session Key Security): Under the Computa- in the past session cannot compute K. tional Diffie-Hellman (CDH) assumption, an attacker who proof. To obtain a contradiction, we assume the attacker can impersonates Bob but does not have access to Bob’s static compute K = g(a+x)(b+y). The attacker knows the values of private key can not compute K. x y a, b (see Figure 7 (2)). The ephemeral public keys g and g proof. The attacker does not possess Bob’s static private key, ab ay are public information. Therefore, he can compute g , g or have access to either Alice or Bob’s session state. To bx and g . Now, we can solve the CDH problem as follows: obtain a contradiction, we assume Mallory is able to compute x y given g and g where x, y ∈R Zq, we use the attacker as an K = g(a+x)(b+y). Bob’s public key gb is public information. xy ab ay bx oracle to compute g = K/(g · g · g ). This, however, Mallory knows Alice’s private key a. The knowledge proof in contradicts the CDH assumption. the protocol proves that Mallory also knows the value y (see Figure 7 (3)). Hence, he can compute gab, gay and gxy. Now, The above proof shows that the the raw key material K is b x incomputable to the attacker. In practice, it is not appropriate to we can solve the CDH problem as follows: given g and g where x, b ∈R Zq, we use Mallory as an oracle to compute directly use the raw K as a session key. A common approach bx ab ay xy is to apply a key derivation function such as a hash function g = K/(g ·g ·g ). This, however, contradicts the CDH to produce a key of the desired length, so the session key is assumption. κ = H(K). This key derivation works exactly the same as in Again, the knowledge proofs are essential in the above proof. We use an example to illustrate this. Let us assume 8Krawczyk defines a weak Perfect Forward Secrecy (wPFS) and a strong Perfect Forward Secrecy (sPFS) [7]. We observe that both definitions are based there were no knowledge proof required for the ephemeral on essentially the same assumption: the past sessions were uncorrupted. The public key. Now, Mallory can send Y 0 = g−b to Alice and only difference is that the latter requires explicit assurance while in the former successfully force the session key to be κ = H(1). The definition the assurance is implicit. As shown in [7], any two-pass PK-AKE protocol that fulfills wPFS also trivially satisfies sPFS by adding an explicit removal of the knowledge proof gives the attacker unrestricted key confirmation. freedom to fabricate a message of any form. Note validating 8 the order of Y 0 does not prevent the attack, because Y 0 has PKI standards). As explained earlier, it thwarts the worm-hole the correct prime order. Somehow, this example highlights the attack, because it explicitly requires the uniqueness of the user limitation of the prime-order validation: it only checks whether identity even in the self-communication mode. the message is within the designated group, but fails to check The resistance of YAK against all these attacks is largely whether it is correlated with other elements in the same group. attributed to the use of the Zero Knowledge Proof primitive. Using the knowledge proof restricts the attacker’s freedom Actually, the importance of the ZKP in security protocols has much more stringently, and defeats this attack. been known for over twenty years, why it has not been commonly applied in key exchange protocols? Many researchers V. SELF-COMMUNICATION worry that ZKP is too computationally expensive and using it in key exchange will make the protocol too inefficient. But, The user identity is an important parameter in the protocol we argue this worry is not justified, and we believe there is definition. In the past literature, almost all PK-AKE protocols no fundamental conflict between the protocol robustness and readily use the Distinguished Name (DN) in the user’s X.509 efficiency. In the following sections, we will further illustrate certificate as the user identity. Unfortunately, the practice of this point by comparing YAK with other schemes in detail in conveniently using DN for the identity carries over to the terms of security and efficiency. self-communication mode [7], which caused the “worm-hole” There are many PK-AKE protocols in the past literature. attack in Section II. Self-communication is a special case and However, we can only select a few; they include SIG-DH [11], should be handled differently. HMQV [7], MQV [20] and NAXOS [13]. These techniques To enable self-communication in YAK, we need to ensure are representative for a comparative analysis. MQV has be the SignerID in the Schnorr’s signature remains unique. This is widely standardized and applied in practical applications. The to prevent Bob from replaying Alice’s signature back to Alice rest are all well-known PK-AKE schemes with formal proofs and vice versa. One solution is to simply attach an additional under different formal models. Among them, HMQV is known identifier to the mobile stations using the same certificate. For as the “most efficient” [7] and NAXOS as the “most secure” example, when Alice (server) is communicating to the nth [13]. Other PK-AKE schemes can be seen as variants of these copy of herself (mobile station), Alice uses “Alice” as her four. SignerID to generate the Schnorr’s signature and the nth copy Table I summarizes the comparison results. The cost is uses “Alice-n” as its SignerID. Thus, Alice-n cannot replay evaluated by counting the number of exponentiations in a Alice’s signature back to Alice and vice versa. This solution DSA-like group setting or the number of multiplications in an is also generically applicable to fix the self-communication ECDSA-like group setting. In the former case, it takes a full problem in past protocols [7], [9], [11], [13], [20]. exponentiation to validate the prime order of a group element Though self-communication is considered a useful feature while in latter, this operation is essentially free. This explains [7], one should be careful to enable this feature only when the difference of one operation between the second and third it is really needed. This is because, when enabled, it will columns in Table I. have negative impact on the theoretical security. In Section We also compare the symmetry property of the protocols. IV, we have explained that, under normal operations (using The YAK protocol is completely symmetric. The symmetry different certificates), an attacker cannot learn ga·a in any of a protocol is not any compulsory requirement, but it can case. However, if self-communication is enabled in YAK, we significantly simplify the protocol analysis. For example, the essentially allow a = b, hence the attacker can learn ga·a from proof that Alice’s session key is secure must apply to Bob a corrupted session. This implies we would need a stronger based on symmetry; this reduces the required proofs by half. assumption than CDH to prove the “session key security”. The SIG-DH protocol was described in [11] and formally This is undesirable, but to our best knowledge, no PK-AKE proven secure in the Canetti-Krawczyk (CK) model. However, protocol is reducible to the CDH assumption with the self- the paper does not explicitly specify a signature algorithm. communication enabled. In comparison, in NAXOS [13] and This makes it difficult to assert the exact cost and security as- HMQV [7], the attacker can learn ga·a from a corrupted sumptions because they depend on the choice of the signature session regardless whether the self-communication is enabled 3 4 algorithm. The attack presented in [13] indicates SIG-DH does (and furthermore he can learn ga , ga ,...). not fulfill the private key security requirement. Consequently, it does not satisfy the session key security requirement (since VI.COMPARISON the private key security cannot be assured in the first place). In this section, we compare YAK with past work. First of Another limitation with SIG-DH is that if the user’s digital all, we briefly explain why attacks that we described on past signature is captured, his real identity will be revealed. PK-AKE schemes are not applicable to YAK. YAK follows a The HMQV protocol is due to Krawczyk [7]. The pro- completely different design from SIG-DH, and is not part of tocol is revised in [8] to address the Menezes-Ustaoglu’s the signature-based PK-AKE family. By design, it prevents the small subgroup attack by adding a prime-order validation disclosure of session-specific transient secrets from compro- step (otherwise, the protocol will fail the private key security mising the long-term private key (see Theorem 1). In addition, requirement). This revision makes the total number of expo- YAK is free from the two new attacks on HMQV. It resists the nentiations be 3.5. The HMQV only requires the CA to check invalid public key attack as it requires the Proof of Possession the submitted public key is not zero. However, as shown in of the private key during the CA registration (following the [15], if the attacker is allowed to register “1” as his public 9

Exp Mul assum- CA Pri-key Ses-key FFS Self Allow Symmetry DL EC ptions chk sec sec com anonym SIG-DH – – – PoP × × X × × × HMQV 3.5 2.5 GDH, RO not 0, 1 X × X × X X MQV 3.5 2.5 N/A PoP X X X × X × NAXOS 5 (+1) 4 GDH, RO not 0 X X X × X × YAK 5 4 CDH, RO PoP X X X X X X Table I COMPARISON BETWEEN PK-AKE SCHEMES.

key, he can launch an unknown key-sharing attack against the assumes the attacker is unable to solve the CDH problem even one-pass version of the HMQV protocol. So we add the check when he has access to a Decision Diffie Hellman oracle [7], that the public key is not “1” either. We need to caution that [13]. Clearly, it is a stronger assumption than CDH. even so, it is still not sufficient to prevent an unknown key- Finally, we study the efficiency of the protocol. In YAK, sharing attack against the HMQV in the post model where Alice needs to perform the following exponentiations: one to the responder’s identity is not pre-defined [17]. The “invalid compute an ephemeral public key (i.e., gx), one to compute public key” attack shown in Section II indicates HMQV does the knowledge proof for x (i.e., gvx ), two to verify the not fulfill the session key security requirement. knowledge proof for y (i.e., Y q and gry Y hy ) and finally one The MQV protocol was first designed by Menezes, Qu and to compute the session key (Y · B)x+a. Thus, that is five in Vanstone [20]. The original MQV design includes the user total: {gx, gvx ,Y q, gry Y hy , (Y · B)x+a}. identities only in the explicit key confirmation stage. Thus, Among these operations, some are merely repetitions. To the key confirmation not only serves to confirm the equality explain this, let the bit length of the exponent be L = x of the session key, but also to confirm the identities of the log2 q. Then, computing g alone would require roughly 1.5L users who are engaged in the key agreement. This arrangement multiplications which include L square operations and 0.5L has the drawback that a secure MQV would require 3 passes. multiplications of the square terms. However, the same square As shown by Kaliski, without key confirmation, the 2-pass operations need not be repeated for other items with the com- MQV is subject to an unknown key sharing attack [26]. mon base. If we factor this in, it will take (1+0.5×3)L = 2.5L In [14], Menezes revised the MQV protocol by including to compute {gx, gvx , gry }, and another (1+0.5×2)L = 2L to the user identities into the key derivation function (similar compute {Y q,Y hy } and finally 1.5L to compute (Y · B)x+a. to HMQV). This change prevents the Kaliski’s attack and Hence, that is in total 6L, which is equivalent to 6L/1.5L = 4 improves the round efficiency as the 2-pass MQV can now usual exponentiations. This is quite comparable to the 3.5 provide implicit authentication. Unfortunately, this change also exponentiations in MQV (which cannot reuse the square terms breaks the symmetry in the original design. Strictly speaking, since the bases are all different). the modified MQV protocol is no longer one-round (due to the need to determine the order of the two identities in the VII.CONCLUSION key derivation function [14]). This paper presents a comprehensive investigation on the The NAXOS protocol is formally proven secure in the subject of the key exchange protocols and is organized in extended Canetti-Krawczyk model (eCK) model [13]. The two parts. In the first part, several key exchange protocols are eCK claims to be the “strongest” formal model, but this claim critically analyzed. The analysis reveals a number of practical is disputed in [15]. In Section II, we also pointed out a subtle flaws in the design as well as theoretical deficiencies in the for- flaw in the definition of the “session specific transient secrets” mal model. Two new attacks on the HMQV protocol are also in the NAXOS security proofs. The NAXOS protocol requires reported; both attacks indicate the basic authentication failure 5 exponentiations (see Figure 2). Same as in HMQV, the in the protocol despite that HMQV has been “formally proven protocol allows the CA to certify any non-zero binary strings secure”. The reported attacks are caused by sidestepping a as public keys. However, NAXOS requires users to verify the prudent engineering principle, namely the sixth principle. In other party’s certified public key must lie in the correct prime- the second part, a new authenticated key agreement protocol, order group before key agreement. This requires one extra called YAK, is presented. The new protocol follows the sixth exponentiation, which is not counted in the NAXOS paper. principle and is built on well-established cryptographic primi- Hence, we add this extra cost (in the braces) in the table. tives such as Schnorr signature. It robustly resists all currently On the security side, which is our primary concern, the known attacks, meanwhile achieving comparable efficiency to YAK protocol has clear advantages. The security of the pro- the MQV and HMQV protocols. tocol (using two different certificates) rests on the Computa- tional Diffie-Hellman (CDH) assumption in the random oracle model. In comparison, the original Diffie-Hellman protocol ACKNOWLEDGMENT depends on the same CDH assumption. The random oracle is We thank Alfred Menezes and Berkant Ustaoglu for their needed since our protocol depends on the Schnorr’s signature. generous advice and many invaluable comments. We thank The formal proofs of NAXOS and HMQV depend on a less anonymous reviewers at FC’10 for many constructive feed- common Gap Diffie-Hellman (GDH) assumption. The GDH backs on the earlier conference version of the paper. Finally, 10 we are obliged to thank Lihong Yang for helping improve the [27] C.P. Schnorr, “Efficient signature generation by smart cards,” Journal of readability of the paper. Cryptology, Vol. 4, No. 3, pp. 161-174, 1991. [28] B. Ustaoglu, “Comparing SessionStateReveal and EphemeralKeyRe- veal for Diffie-Hellman protocols,” The Provable Security Conference, REFERENCES ProvSec’09, LNCS, Nov, 2009. [29] IEEE P1363 Standard Specifications For Public-Key Cryptography, http: [1] W. Diffie and M.E. Hellman, “New directions in cryptography,” IEEE //grouper.ieee.org/groups/1363/index.html. Transactions on Information Theory, vol. 22, pp. 644-654, 1976. [2] D. Stinson, Cryptography: theory and practice, Third Edition, Chapman & Hall/CRC, 2006. [3] D. Jablon, “Strong password-only authenticated key exchange," ACM Computer Communications Review, Vol. 26, No. 5, pp. 5-26, 1996. [4] S. Bellovin and M. Merritt, “Encrypted Key Exchange: password-based protocols secure against dictionary attacks,” Proceedings of the IEEE Symposium on Research in Security and Privacy, May 1992. [5] F. Hao, P. Ryan, “Password authenticated key exchange by juggling,” the 16th International Workshop on Security Protocols, SPW’08, Cam- bridge, UK, May 2008. [6] R.J. Anderson, Security Engineering : A Guide to Building Dependable Distributed Systems, Second Edition, New York, Wiley 2008. [7] H. Krawczyk, “HMQV: a high-performance secure Diffie-Hellman protocol,” Advances in Cryptology – CRYPTO 2005, LNCS 3621, pp. 546- 566, 2005. A longer version available at http://eprint.iacr.org/2005/176. pdf. [8] H. Krawczyk, “HMQV in IEEE P1363,” submission to the IEEE P1363 Standardization Working Group, July 7, 2006. Avail- able at http://grouper.ieee.org/groups/1363/P1363-Reaffirm/submissions/ krawczyk-hmqv-spec.pdf [9] K. Lauter, A. Mityagin, “Security analysis of KEA authenticated key exchange protocol,” PKC’06, LNCS 3958, pp. 378-394, 2006. [10] A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1996. [11] R. Canetti , H. Krawczyk, “Analysis of key-exchange protocols and their use for building secure channels,” Eurocrypt’01, pp.453-474, 2001. [12] W. Diffie, P.C. van Oorschot, and M.J. Wiener, “Authentication and authenticated key exchanges,” Designs, Codes and Cryptography, pp. 107-125, 1992. [13] B. LaMacchia, K. Lauter, A. Mityagin, “Stronger security of authenticated key exchange,” Provable Security, LNCS 4784, pp. 1-16, 2007. [14] A. Menezes, B. Ustaoglu, “On the importance of public-key validation in the MQV and HMQV key agreement protocols,” INDOCRYPT’06, LNCS 4329, pp. 133-147, 2006. [15] C.J.F. Cremers, “Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol,” ACNS’09, LNCS 5536, pp. 20-33, 2009. [16] F. Bao, R.H. Deng, H. Zhu, “Variations of Diffie-Hellman problem,” Proceeding of Information and Communication Security, LNCS 2836, pp. 301-312, 2003. [17] A. Menezes, B. Ustaoglu, “Comparing the pre- and post-specified peer models for key agreement,” Information Security and Privacy, LNCS 5107, pp. 53-68, 2008. [18] B. Ustaoglu, “Obtaining a secure and efficient key agreement protocol for (H)MQV and NAXOS,” Designs, Codes and Cryptography, Vol. 46, No. 3, pp. 329-342, 2008. [19] C. Mitchell, Security for Mobility, The Institution of Electrical Engi- neers, 2004. [20] L. Law , A. Menezes , M. Qu , J. Solinas , S. Vanstone, “An efficient protocol for authenticated key agreement,” Designs, Codes and Cryptography, Vol. 28 , No. 2, pp. 119-134, 2003. [21] C. Boyd, A. Mathuria, Protocols for authentication and key establish- ment, Springer-Verlag, 2003. [22] R.J. Anderson, R. Needham, “Robustness principles for public key protocols,” Crypto’95, LNCS 963, pp. 236-247, 1995. [23] O. Goldreich, S. Micali and A. Wigderson, “How to play any mental game or a completeness theorem for protocols with honest majority,” Proceedings of the nineteenth annual ACM Conference on Theory of Computing, pp. 218-229, 1987. [24] C.H. Lim and P.J. Lee, “A key recovery attack on discrete log-based schemes using a prime order subgroup,” Crypto ’97, LNCS 1295, pp. 249-263, 1997. [25] M. Bellare, R. Canetti, H. Krawczyk, “A modular approach to the design and analysis of authentication and key exchange protocols,” Proceedings of the thirtieth annual ACM symposium on Theory of Computing, pp. 419-428, 1998. [26] B. Kaliski, “An unknown key-sharing attack on the MQV key agreement protocol,” ACM Transactions on Information and System Security, Vol. 4. No. 3, 2001, pp. 275–288.